$fully_updated

kruz1337 · Nov 14, 2022 · f1f5298 · f1f5298
1 parent 13379c0
commit f1f5298
Show file tree

Hide file tree

Showing 13 changed files with 488 additions and 266 deletions.
diff --git a/Kruzinjector/Execution.cpp b/Kruzinjector/Execution.cpp
@@ -0,0 +1,158 @@
+#include "Execution.h"
+
+bool CreateThreadEx(HANDLE hProcess, void* shellCode, void* targetBase)
+{
+	HANDLE thread = CreateRemoteThread(hProcess, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(shellCode), targetBase, 0, nullptr);
+	if (!thread)
+	{
+		printf("[-] Remote thread creation failed. (0x%X)\n", GetLastError());
+		VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE);
+		return false;
+	}
+	CloseHandle(thread);
+}
+
+bool HijackThread(HANDLE hProcess, void* shellCode, void* targetBase)
+{
+	void* codeCave = VirtualAllocEx(hProcess, nullptr, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+	if (!codeCave)
+	{
+		printf("[-] Failed to open code cave. (0x%X)\n", GetLastError());
+		VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE);
+		return false;
+	}
+
+	DWORD processId = GetProcessId(hProcess);
+	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
+	HANDLE hThread = NULL;
+
+	THREADENTRY32 te32;
+	te32.dwSize = sizeof(te32);
+
+	Thread32First(hSnapshot, &te32);
+	while (Thread32Next(hSnapshot, &te32))
+	{
+		if (te32.th32OwnerProcessID == processId)
+		{
+			hThread = OpenThread(THREAD_SET_CONTEXT | THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, FALSE, te32.th32ThreadID);
+			if (!hThread)
+			{
+				printf("[-] Failed to open hijack thread. (0x%X)\n", GetLastError());
+				VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE);
+				VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE);
+				VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE);
+				return false;
+			}
+			break;
+		}
+	}
+	CloseHandle(hSnapshot);
+
+	if (SuspendThread(hThread) == (DWORD)-1) //https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/
+	{
+		printf("[-] Suspend thread failed. (0x%X)\n", GetLastError());
+		CloseHandle(hThread);
+		VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE);
+		return false;
+	}
+
+	CONTEXT ctx;
+	ctx.ContextFlags = CONTEXT_FULL;
+
+	if (!GetThreadContext(hThread, &ctx))
+	{
+		printf("[-] Retrieve thread context failed. (0x%X)\n", GetLastError());
+		ResumeThread(hThread);
+		CloseHandle(hThread);
+		VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE);
+		return false;
+	}
+
+#ifdef _WIN64
+	BYTE code[] =
+	{
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48,
+		0x83, 0xEC, 0x08, 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00,
+		0x00, 0xC7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00,
+		0x50, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52,
+		0x41, 0x53, 0x9C, 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x48, 0xB9, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xEC, 0x20,
+		0xFF, 0xD0,	0x48, 0x83, 0xC4, 0x20, 0x48, 0x8D, 0x0D,
+		0xB4, 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x01, 0x9D, 0x41,
+		0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, 0x5A, 0x59,
+		0x58, 0xC6, 0x05, 0xA9, 0xFF, 0xFF, 0xFF, 0x00, 0xC3
+	};
+
+	DWORD funcOffset = 0x08;
+	DWORD checkByteOffset = 0x03 + funcOffset;
+
+	*reinterpret_cast<DWORD*>(code + 0x07 + funcOffset) = (DWORD)(ctx.Rip & 0xFFFFFFFF);
+	*reinterpret_cast<DWORD*>(code + 0x0F + funcOffset) = (DWORD)((ctx.Rip >> 0x20) & 0xFFFFFFFF);
+	*reinterpret_cast<void**>(code + 0x21 + funcOffset) = shellCode;
+	*reinterpret_cast<void**>(code + 0x2B + funcOffset) = targetBase;
+
+	ctx.Rip = reinterpret_cast<ULONG_PTR>(codeCave) + funcOffset;
+#else
+	BYTE code[] =
+	{
+		0x00, 0x00, 0x00, 0x00, 0x83, 0xEC, 0x04, 0xC7, 0x04,
+		0x24, 0x00, 0x00, 0x00, 0x00, 0x50, 0x51, 0x52, 0x9C,
+		0xB9, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00,
+		0x00, 0x51, 0xFF, 0xD0, 0xA3, 0x00, 0x00, 0x00, 0x00,
+		0x9D, 0x5A, 0x59, 0x58, 0xC6, 0x05, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0xC3
+	};
+
+	DWORD funcOffset = 0x04;
+	DWORD checkByteOffset = 0x02 + funcOffset;
+
+	*reinterpret_cast<DWORD*>(code + 0x06 + funcOffset) = ctx.Eip;
+	*reinterpret_cast<void**>(code + 0x0F + funcOffset) = targetBase;
+	*reinterpret_cast<void**>(code + 0x14 + funcOffset) = shellCode;
+	*reinterpret_cast<void**>(code + 0x1C + funcOffset) = codeCave;
+	*reinterpret_cast<BYTE**>(code + 0x26 + funcOffset) = reinterpret_cast<BYTE*>(codeCave) + checkByteOffset;
+
+	ctx.Eip = reinterpret_cast<DWORD>(codeCave) + funcOffset;
+#endif
+
+	if (!WriteProcessMemory(hProcess, codeCave, code, sizeof(code), NULL))
+	{
+		printf("[-] Shellcode injection failed. (0x%X)\n", GetLastError());
+		ResumeThread(hThread);
+		CloseHandle(hThread);
+		VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE);
+		return false;
+	}
+
+	if (!SetThreadContext(hThread, &ctx))
+	{
+		printf("[-] Hijacking failed. (0x%X)\n", GetLastError());
+		ResumeThread(hThread);
+		CloseHandle(hThread);
+		VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE);
+		return false;
+	}
+
+	if (ResumeThread(hThread) == (DWORD)-1)
+	{
+		printf("[-] Resume thread failed. (0x%X)\n", GetLastError());
+		CloseHandle(hThread);
+		VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE);
+		VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE);
+		return false;
+	}
+
+	CloseHandle(hThread);
+}
diff --git a/Kruzinjector/Execution.h b/Kruzinjector/Execution.h
@@ -0,0 +1,5 @@
+#pragma once
+#include "Includes.h"
+
+bool HijackThread(HANDLE hProcess, void* shellCode, void* targetBase);
+bool CreateThreadEx(HANDLE hProcess, void* shellCode, void* targetBase);
diff --git a/Kruzinjector/Includes.h b/Kruzinjector/Includes.h
@@ -0,0 +1,33 @@
+#pragma once
+#include <Windows.h>
+#include <iostream>
+#include <fstream>
+#include <TlHelp32.h>
+#include <vector>
+#include <string>
+#include <sstream>
+
+#include "rapidxml/rapidxml.hpp"
+
+#define FLAG32(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_HIGHLOW)
+#define FLAG64(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_DIR64)
+
+#ifdef _WIN64
+#define MACHINE_ARC IMAGE_FILE_MACHINE_AMD64
+#define RELOC_FLAG FLAG64
+#else
+#define MACHINE_ARC IMAGE_FILE_MACHINE_I386
+#define RELOC_FLAG FLAG32
+#endif
+
+enum INJECTION_TYPE
+{
+	T_LoadLibrary,
+	T_ManualMap,
+};
+
+enum EXECUTION_METHOD
+{
+	M_NtCreateThreadEx,
+	M_ThreadHijacking
+};
diff --git a/Kruzinjector/Kruzinjector.vcxproj b/Kruzinjector/Kruzinjector.vcxproj
@@ -29,26 +29,26 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v143</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v143</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v143</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v143</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
@@ -110,7 +110,7 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>TurnOffAllWarnings</WarningLevel>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>true</IntrinsicFunctions>
       <SDLCheck>
@@ -123,6 +123,7 @@
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@@ -157,19 +158,23 @@
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="appmain.cpp" />
-    <ClCompile Include="Bypass.cpp" />
+    <ClCompile Include="Execution.cpp" />
     <ClCompile Include="ManualMap.cpp" />
-    <ClCompile Include="Standart.cpp" />
+    <ClCompile Include="LoadLibrary.cpp" />
+    <ClCompile Include="Utils.cpp" />
   </ItemGroup>
   <ItemGroup>
-    <ClInclude Include="Bypass.h" />
+    <ClInclude Include="Execution.h" />
+    <ClInclude Include="Includes.h" />
     <ClInclude Include="ManualMap.h" />
     <ClInclude Include="resource.h" />
-    <ClInclude Include="Standart.h" />
+    <ClInclude Include="LoadLibrary.h" />
+    <ClInclude Include="Utils.h" />
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="Kruzinjector.rc" />

diff --git a/Kruzinjector/Kruzinjector.vcxproj.filters b/Kruzinjector/Kruzinjector.vcxproj.filters
@@ -13,41 +13,44 @@
       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
     </Filter>
-    <Filter Include="Header Files\ManualMap">
-      <UniqueIdentifier>{4b850bcc-2e2b-4d6e-b97c-53d6a9fb635c}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Header Files\Standart">
-      <UniqueIdentifier>{407d2a6f-e975-4293-9950-6047ad4ceba3}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Header Files\Bypass">
-      <UniqueIdentifier>{df90de97-9ca6-4a81-b15d-34d52741e5f9}</UniqueIdentifier>
+    <Filter Include="Header Files\Resources">
+      <UniqueIdentifier>{1f2e0c8a-ee0e-4a5c-b3e4-2c09ffbf73a6}</UniqueIdentifier>
     </Filter>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="appmain.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="Standart.cpp">
-      <Filter>Header Files\Standart</Filter>
-    </ClCompile>
-    <ClCompile Include="Bypass.cpp">
-      <Filter>Header Files\Bypass</Filter>
+    <ClCompile Include="LoadLibrary.cpp">
+      <Filter>Header Files</Filter>
     </ClCompile>
     <ClCompile Include="ManualMap.cpp">
-      <Filter>Header Files\ManualMap</Filter>
+      <Filter>Header Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Utils.cpp">
+      <Filter>Header Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Execution.cpp">
+      <Filter>Header Files</Filter>
     </ClCompile>
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="LoadLibrary.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
     <ClInclude Include="ManualMap.h">
-      <Filter>Header Files\ManualMap</Filter>
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="resource.h">
+      <Filter>Header Files\Resources</Filter>
     </ClInclude>
-    <ClInclude Include="Standart.h">
-      <Filter>Header Files\Standart</Filter>
+    <ClInclude Include="Utils.h">
+      <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="Bypass.h">
-      <Filter>Header Files\Bypass</Filter>
+    <ClInclude Include="Includes.h">
+      <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="resource.h">
+    <ClInclude Include="Execution.h">
       <Filter>Header Files</Filter>
     </ClInclude>
   </ItemGroup>

diff --git a/Kruzinjector/LoadLibrary.cpp b/Kruzinjector/LoadLibrary.cpp
@@ -0,0 +1,39 @@
+#include "LoadLibrary.h"
+#include "Execution.h"
+
+bool ILoadLibrary(HANDLE hProcess, const char* dllFile, EXECUTION_METHOD execution)
+{
+	DWORD exitCode;
+	if (!GetExitCodeProcess(hProcess, &exitCode))
+	{
+		printf("[-] Process is not valid. (0x%X)\n", GetLastError());
+		CloseHandle(hProcess);
+		return false;
+	}
+
+	void* memory = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+	if (!memory)
+	{
+		printf("[-] Memory failed to allocate. (0x%X)\n", GetLastError());
+		CloseHandle(hProcess);
+		return false;
+	}
+
+	if (!WriteProcessMemory(hProcess, memory, dllFile, strlen(dllFile) + 1, 0))
+	{
+		printf("[-] Write process memory failed. (0x%X)\n", GetLastError());
+		CloseHandle(hProcess);
+		return false;
+	}
+
+	if (execution == M_NtCreateThreadEx)
+	{
+		CreateThreadEx(hProcess, LoadLibraryA, memory);
+	}
+	else if (execution == M_ThreadHijacking)
+	{
+		HijackThread(hProcess, LoadLibraryA, memory);
+	}
+
+	return true;
+}
diff --git a/Kruzinjector/LoadLibrary.h b/Kruzinjector/LoadLibrary.h
@@ -0,0 +1,4 @@
+#pragma once
+#include "Includes.h"
+
+bool ILoadLibrary(HANDLE hProcess, const char* dllFile, EXECUTION_METHOD execution);